Posted by timothy on Friday August 05, 2011 @05:18AM
from the when-found-they-were-mumbling-and-bleary dept.

twoheadedboy writes "Another day, yet another data security failure. Two companies have been found in breach of the Data Protection Act after tens of thousands of tenants' details were left at a London pub, alongside 800 records with bank account details. A contractor who had stored data from two different companies on an unencrypted USB drive was responsible. We've all lost things on a night out, but rarely is it other people's banking information. The two firms involved have been told to get a grip on their security procedures, but they escaped a fine from the ICO."

The police can usually be quite creative when it comes to punishing people when they do something stupid on a night out. There are vague concepts like 'public disorder' or 'disturbing the peace' which allow them to lock up someone for at least a night. Can't they apply that to a company that gets drunk? Close it down for 12 hours until it's sober again?

The ICO has failed time and time again to bring sanctions against infringers. Hell, BT tapped hundreds of thousands of its customers' internet connections and never was sanctioned by the ICO or brought before a court to answer for its crimes. The ICO seems to take the attitude that the offenders just simply made a mistake and can't we just forget about it as we're sure they are sorry now -- they took action in just over 1% of cases and levied fines far less than that:

...the ICO acts on just 1.4% of data breaches and only fines 0.15% of offenders.

Really? Do you get caught and punished every time you do something bad? I've frankly sped (at 10, 20+ mph above posted limits) many times and done things that I'd be too embarrassed to admit on Slashdot. I've not been caught or punished for any of these transgressions. Yet.

All persons (both real and legal) get away with a lot of things they do; after scaling for size and influence of each person, I don't think there's a preferential treatment.

But the point is that if you were caught doing 10-20mph above the posted limit you would almost certainly be punished for doing so... Whereas many corporations are caught doing illegal things, and simply aren't punished at all.

There's a difference between simply not being caught, and being caught but let off with little or no punishment. The fact we hear about something in the news means they've already been caught, how many other crimes go undetected?

A 100 euro fine is normal for a person making a relatively minor mistake... like doing something stupid while drunk, or speeding 10-20 mph. 100 euro is 0.25% of a regular annual income of 40000 euro/year...

I'd like to see a big business take a fine of 0.25% of the revenue (revenue, not profit, obviously) for relatively small mistakes. Take British Telecom (mentioned earlier in this thread) for example: a revenue of about 30 billion euro / year. A minor mistake should lead to 0.25% of 30 billion = 75 million euro. And that's for small mistakes.

Take British Telecom (mentioned earlier in this thread) for example: a revenue of about 30 billion euro / year. A minor mistake should lead to 0.25% of 30 billion = 75 million euro. And that's for small mistakes.

Revenue is the wrong number to use. Use the percentage of earnings (or, if not actual reported earnings, at a minimum, revenues minus expenses directly related to generating those revenues), which is more comparable to a person's salary. You should arrive at a figure in the millions or hundreds of th

Revenue is the wrong number to use. Use the percentage of earnings [...]

You can argue that it must be paid from earnings (that's profit, isn't it?), or revenues minus expenses. Fair enough. But then we do that on both sides of the equation: We also calculate the percentage of a 100 euro fine compared to my annual savings.

Companies can put a LOT of stuff on expenses. They can put new shiny offices, heating and electricity, transportation including business trips and team-building events, new furniture, and company dinners and even the investments and expansions on expenses. So, I

If you fine the company, isn't this the same thing? You are taking value away from the capital value of each shareholder's assets in proportion to their holding. Agreed, it doesn't get around the fact that most have no say anyway, but it seems equitable. The main problem is that fines are always so small that the shareholders never notice.

Finland has an excellent law in this regard: fines are scaled in proportion to the perp's wealth. This means that an average person might pay (say) 25 euros for a moving violation, but a really rich person would pay tens of thousands.

If the purpose of a fine is to dissuade people from doing something, then this is an excellent idea - a rich person would never notice 25 currency units, nor would a company.

Take British Telecom (mentioned earlier in this thread) for example: a revenue of about 30 billion euro / year. A minor mistake should lead to 0.25% of 30 billion = 75 million euro.
And that's for small mistakes.

By comparison, a couple of years ago when Shell Expro had a major gas leak in a production platform leg, killing two and putting several hundred at risk (if the gas had exploded, then one of the platform's three legs would have collapsed, dropping the whole platform into the sea in a matter of secon

Wow...
I mean it is really obvious to your lopsided opinion on this, but I wonder if you really think that or not.
The reality is that both entities, corporate and government, are made up of people... people will do stupid things and probably at the same percentage or rate as both entities.
However, to read what you wrote, you tend to think that there are far more people doing stupid things in Government than business. Where do you get your opinion from? One can only guess, but it seems statistically flawed.

The difference is that companies (especially large ones) have teams of lawyers to shoot down those charges, or at least stall them long enough to make it not worth the time, while an individual does not. Same thing applies to the rich.

Why didn't they get a fine? The whole point of these acts is to stop this sort of thing happening, so what is the exception? Let's see -

"The device contained details of over 20,000 tenants of Lewisham Homes and 6,200 from Wandle Housing Association. Almost 800 of the records belonging to Lewisham Homes also contained tenants’ bank account details."

So let 800 records that include customer bank accounts into the wild and no fine? But if I park my car on the street for an hour too long I get one. mmmm

Not only did they not get a fine, the contractor's name hasn't even been published so we have no idea who it is. Lewisham Homes and Wandle Housing are the names of the companies whose clients' data was leaked. But the name of the contractor responsible for the breach has not been released. So you could end up hiring/contracting this guy.

The ICO is a toothless waste of tax-payers' money. They couldn't even be arsed to do anything about BT's use of Phorm. Fines should apply immediately (say £100 per breach), and quadrupled if the company did not disclose the breach itself. So in this case the contractor/councils should be staring down the barrel of a circa £2.6 million fine. But they won't. All that will happen is that a few civil servants will be promoted, the council will mutter "lessons learned", the ICO will crow about monit

So basically, there will be no incentive to prevent damages. And since the people who are damaged won't know who did it, it won't really ever come back to them. It sure sounds to me like the whole ICO is just a crock. My bet is they are all bribed.

The BBC article has some more depth [bbc.co.uk] (and the site is _much_ faster...). The most interesting sentence is "The memory stick was handed into the police on the weekend of the 5th March and safely retrieved." (emphasis added)

The drive should have been encrypted, but can't really blame the guy for being human. We've all told ourselves over and over again not to forget we just put a pizza in the oven and then 20 minutes later start to smell burning.

There's absolutely no excuse as to why the drive wasn't encrypted. I totally blame the guy for knowingly transferring other people's data onto an unencrypted drive. Losing it is understandable (and would be forgivable if he'd encrypted it).

This is more like making a pizza with a dynamite topping and then leaving it in the oven too long (there's just no good reason to make a dynamite topped pizza).

I wonder if the author is making excuses for what appears to be another incident stemming from Britain's widespread drinking problem. I can't think of any other country with as many stories of the form "restricted-access data from XXX was left in a pub by a contractor/employee with company/agency YYY". Maybe it's just that the British press covers this especially aggressively, or maybe it's really that too many Britons are foolish and irresponsible ab

Left in pub does not mean left in pub by drunken contractor - probably went in for food at lunchtime, and left it behind, just like others have left them on trains, taxis etc. when not drunk... Pubs in the UK are very often not just bars, they are nearer restaurants with a bar...

There is a drinking culture in the UK; the problem is that the culture is to drink, without food, in order to get drunk. Other countries drink as much, but with food (which lessens the effect), and consider being drunk to be ill.

Exactly. "Pub" is short for "public house", which explains why they feel like someone's living room. That's the whole idea, and part of the culture: rather than sitting in your home alone during the evening, you can pop down to the pub and hang out with your friends in essentially the same atmosphere. Local pubs are one of the things that make travelling through the English countryside such a joy! I used to fly through London a fair bit and often would schedule a long stop-over so that I could pop in to t

I personally don't understand the appeal, but I'm deaf enough that pubs are horrendous conversation blackspots for me and I don't buy the "it's fun to get drunk" angle.

Then again, I bought a litre of vodka an hour ago..:)

The UK does appear to drink differently to most other European nations. I personally put it down to the puritans and their fucked up approach to life - by demonising alcohol they influenced the country into a lifestyle that doesn't introduce

Britain doesn't have a drinking problem, at least not to the extent that our media would have you believe. It's been hyped out of proportion on the back of badly designed government statistics, which reveal that large numbers of people regularly binge drink. At least, they do if you define "binge drink" as "drink more than the daily recommended alcohol allowance in a day", where the daily recommended alcohol allowance is 3 units for women or 4 for men (i.e. 2 pints of any reasonably strong lager is "binge

There is something called the data protection act that requires organisations which handle the private data of individuals to, like, protect it. We are all getting too used to the idea that when we give our personal data to a company, they somehow own it. They do not, and this is very clear in law, wherever sensible data protection legislation is in place.

Lose a prototype iPhone: Get into shit at work
Lose a USB drive with 800 banking records: Get into shit at work
Sell someone else's property: Get investigated for receiving stolen goods, money laundering, etc.
Hand in USB drive found in pub to police: Get thanked.

The responsible course of action would be to anonymously post the data to Pastebin. Failure to do so will only result in the company in question getting off with little more than letter from the ICO.

Until there is an effective system in place to punish this sort of thing we are going to have to do it ourselves, and civil disobedience is justified. We have exactly the same problem with protests - they are utterly ignored until they turn violent for a sustained period. 2 million marched against invading Iraq

Welcome to the world of contracting, where you charge a high daily rate because you "get things done".

What you don't mention is that you get things done because you ignore all of the regulations, internal policies and procedures and other mechanisms designed to keep companies operating within the law and looking after their customers' data properly.

Sometimes you fuck up and get asked to leave your current contract - but don't worry, there'll be another one available within a week or two.

Who the hell brings tens of thousands of case details with them on a USB stick when they go to the pub? Taking a bit of work home over the weekend? Surely you would just access it on the employer's VPN in that case?

The only plausible reason I can think of is that the person meant to give or sell it to someone who wasn't allowed to access it.